Simmering discontent over the PCI data security standard boiled over in October when the National Retail Federation (NRF) publicly called on credit card companies to take more responsibility for storing card data.
In a terse letter to the PCI Security Standards Council, which oversees implementation of the standard, NRF CIO David Hogan called on credit card companies to stop making retailers "jump through hoops to create an impenetrable fortress" to protect card data.
Instead, he asked the council to work with retailers "to eliminate the incentive for hackers to break into their systems in the first place".
The letter from the NRF, whose members include most major US retailers, was sent after many of the trade association's members apparently failed to meet a deadline to comply with the PCI data security standard.
The standard requires retailers to implement a set of prescribed controls for protecting cardholder data. Compliance is mandated by credit card companies Visa International, MasterCard International, American Express, Discover Financial Services and the Japan Credit Bureau.
About 325 Tier 1 merchants, those that process more than 6m credit card transactions per year, are subject to monthly fines of $5,000 to $25,000 for failing to comply with the standard.
In an interview, Hogan argued that retailers and others accepting payment-card transactions should not have to comply with the PCI mandate that they store certain card data for up to 18 months in case it's needed to mitigate disputes.
He suggested that credit card companies and their banks, not retailers, should be responsible for storing the data.
In that case, Hogan said, retailers would only need to store an authorisation code provided at the time of a sale to validate a charge, plus a receipt with truncated credit card information to handle returns and refunds.
"It is a very fundamental shift," he said. "But if you think about it, it is a very common sense approach."
The PCI mandates now require that retailers build unnecessary "fortresses" around credit card data, Hogan said. "We build these higher walls, and the hackers bring in taller ladders, and this kind of keeps scaling up all the time," he added.
Gartner analyst Avivah Litan said that the NRF letter makes a "sound argument." "It's totally reasonable to tell the banking system and payment system that 'We don't want to store this data anymore,'" Litan said. "If they aren't storing this data, many of these [PCI] requirements go away, and the scope of the compliance effort is much more restricted."
Visa, which has been at the forefront of the PCI initiative, did not respond to a request for comment on the NRF letter.
A Visa spokesman did note, however, that a section of the PCI rules requires retailers to purge their systems of certain types of cardholder data, such as card-verification codes and personal identification number (PIN) block data.
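To make the two data-handling points above concrete (Hogan's proposal that a retailer keep only an authorisation code plus a receipt with a truncated card number, and Visa's note that card-verification codes and PIN block data must be purged), here is an added example that is not part of the article and not the code of any company mentioned in it. It reduces a constructed point-of-sale record to the retained fields, truncates the card number to its last four digits, and scans a stored record for data that should not be there. Field names such as `pan`, `cvv`, `pin_block` and `track2` are assumptions for this example.

```python
"""Added example (not from the article): keep only what is needed to validate
a charge and handle a return, and never retain sensitive authentication data
(CVV, PIN block, magnetic-stripe track data). Field names are assumptions."""

import re
from typing import Dict, List

# Sensitive authentication data the card brands forbid storing after
# authorisation. Field names are assumptions for this example.
SENSITIVE_AUTH_FIELDS = {"cvv", "pin_block", "track1", "track2"}

# What the retailer keeps under the proposal: enough to validate the charge
# and reconcile a refund, nothing that could be used to make a new charge.
RETAINED_FIELDS = ("auth_code", "amount", "currency", "timestamp", "merchant_ref")


def truncate_pan(pan: str) -> str:
    """Return a receipt-style card number keeping only the last four digits.

    All other digits are replaced with '*', so the stored value is no longer
    a full card number and cannot be replayed to make a charge.
    """
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("PAN length is not a valid card number length")
    return "*" * (len(digits) - 4) + digits[-4:]


def build_retained_record(txn: Dict[str, str]) -> Dict[str, str]:
    """Build the record a retailer would keep under the 'store less' approach.

    Copies only RETAINED_FIELDS, adds a truncated PAN for returns and refunds,
    and never copies the full PAN or any sensitive authentication data.
    """
    if "auth_code" not in txn or "pan" not in txn:
        raise ValueError("transaction is missing auth_code or pan")
    kept = {k: txn[k] for k in RETAINED_FIELDS if k in txn}
    kept["pan_truncated"] = truncate_pan(txn["pan"])
    return kept


def find_prohibited_data(record: Dict[str, str]) -> List[str]:
    """Return the names of fields that should have been purged from storage.

    Flags sensitive authentication data by field name, and any value that
    still looks like a full card number (12 to 19 digits once spaces and
    dashes are removed). Used here as a retention check, not as a scanner
    for every encoding a real monitoring tool would need to handle.
    """
    findings = []
    for key, value in record.items():
        if key in SENSITIVE_AUTH_FIELDS:
            findings.append(key)
        elif re.fullmatch(r"\d{12,19}", re.sub(r"[ -]", "", str(value))):
            findings.append(key)
    return findings


# Constructed sample of what a POS might hold at authorisation time. The card
# number is a well-known test number, not a real account; all other values
# are made up for this example.
RAW_TRANSACTION = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
    "track2": "4111111111111111=29121010000000000000",
    "pin_block": "0123456789ABCDEF",
    "auth_code": "A1B2C3",
    "amount": "42.50",
    "currency": "USD",
    "timestamp": "2007-10-01T12:34:56Z",
    "merchant_ref": "STORE-0042-000123",
}

if __name__ == "__main__":
    retained = build_retained_record(RAW_TRANSACTION)
    print("retained record:", retained)
    print("prohibited in raw record:", find_prohibited_data(RAW_TRANSACTION))
    print("prohibited in retained record:", find_prohibited_data(retained))
```

The point of the check function is the one Litan makes: once the full card number and the authentication data are gone from the retailer's systems, the record no longer carries anything that puts it in scope, and that is what a retention check should verify rather than trusting the application to have done the right thing.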
IT managers and security experts listed various frustrations with PCI regulations and those who enforce them in explaining why some retailers are missing the deadline.
Amer Deeba, chief marketing officer and vice president of product marketing at Qualys, a vendor of IT security systems, noted that large companies with highly distributed, older computing environments can expect to have an especially hard time applying PCI security controls.
"Many of the big [retailers] are handling credit card information from all around the world and storing it in legacy systems that are no longer supported or updated," Deeba said.
It took a yearlong effort for Steak n Shake, a Tier 1 merchant, to comply with the PCI standard, said Sean Smith, technology director at the restaurant chain.
The rigorous effort, he said, included the creation of security controls, such as systems to monitor file integrity and capture event log data, for a "very legacy environment."
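The article names file-integrity monitoring as one of the controls such an effort involves. The following is an added example, not the restaurant chain's system or any vendor's product, of the core of such a control: record a SHA-256 baseline of the files under a directory, then report what was added, removed or changed. The directory layout, file names and contents are constructed in a temporary directory so the example runs stand-alone.

```python
"""Added example (not from the article): a minimal file-integrity monitor.
It hashes every file under a root, stores the digests as a baseline, and on
the next run reports added, removed and modified files. Paths and contents
are constructed for the example."""

import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_to_baseline(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash the tree and classify every difference from the baseline."""
    current = build_baseline(root)
    common = current.keys() & baseline.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if current[p] != baseline[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Create a scratch POS-like tree, baseline it, change it, return the diff.

    The changes made here (a config edit, a removed binary, a new library)
    are the kinds of events a monitor on a payment system should surface for
    review, whether they come from a legitimate change or not.
    """
    with tempfile.TemporaryDirectory() as root:
        conf_dir = os.path.join(root, "pos", "conf")
        os.makedirs(conf_dir)
        conf_path = os.path.join(conf_dir, "app.ini")
        bin_path = os.path.join(root, "pos", "pos.bin")
        with open(conf_path, "w") as f:
            f.write("log_level=info\n")
        with open(bin_path, "wb") as f:
            f.write(b"constructed-binary-contents")

        baseline = build_baseline(root)

        # Changes the monitor should flag on its next run.
        with open(conf_path, "w") as f:
            f.write("log_level=debug\n")
        os.remove(bin_path)
        with open(os.path.join(root, "pos", "extra.dll"), "wb") as f:
            f.write(b"constructed")

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A production monitor adds what this omits: a signed or off-host baseline so an attacker who changes a file cannot also rewrite the digests, a schedule, and forwarding of the findings into the event-log collection the article mentions alongside it.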
A proper security upgrade in a distributed legacy environment could require system upgrades and months of dedicated manpower that could cost millions of dollars, Gartner's Litan noted.
The high potential cost has prompted many retailers to apply "Band-Aids to patch the problems" while they juggle other priorities at the same time, she said, adding that "the effort is far from straightforward."
Jay White, global information protection architect at Chevron, noted that different PCI auditors often interpret the regulations differently.
"The biggest challenge with PCI is that you are at the mercy of the auditors and their skill set," White said. With some auditors, "everything becomes black and white," while others take a more nuanced view of the controls a company might have in place, he said.
White noted that Chevron has implemented a lot of controls that are not PCI-specific and are instead part of a core set of steps the company has taken to address multiple compliance objectives.
While the PCI standard allows companies to use certain alternative controls under some circumstances, PCI auditors may disagree on what measures are OK.
"The result is that a lot of companies have gone through multiple assessments and keep getting a lot of different answers" about their compliance, said Alan Bird, vice president of business development at Cyber-Ark Software, a security vendor. "A lot of people are filing a lot of papers to get their compensating controls signed off as being compliant."
White said that Chevron has dedicated "literally an army of people" to ensure that the company complies with PCI and other regulatory requirements.
He noted that as part of the effort, the oil company set up a technical control board to, among other things, keep track of vulnerabilities, patches and other security issues that could affect compliance.
"I can see where companies can run into problems if they are treating security as an afterthought," he added.
Steve Schlarman, chief compliance strategist at Brabeion Software, a developer of compliance management software, said it's important that companies sustain efforts to comply with the PCI standard.
"Sustainability is a key point," he said. "In most organisations, their network of today is not what their network of tomorrow is going to look like."
Branden Williams, director of the PCI practice at security vendor VeriSign, added that retailers must continually take into account ongoing changes in the business and threat environments to avoid falling out of compliance.
"[Retailers] are treating PCI like a project and not as a journey," and therefore they often fail to implement adequate program management processes, he said.
And even companies that do achieve PCI compliance "are often just one change control away from non-compliance," Williams said.
Though the credit card companies have kept mum about whether retailers have been penalised for non-compliance, Gartner noted in a report that several companies were fined even before the deadline.
For example, Visa levied over $4.5m in fines in 2006 and $3.4m a year earlier, the report said.
The fines were assessed against merchant banks that authorise retailers to accept credit card transactions. The banks, in turn, passed the fines along to the merchants, the report noted.
Fines were also levied against companies that had been hit with data breaches or had been found to be storing magnetic stripe data contained on credit cards.
Bird noted that the decision by credit card companies not to announce the fines may be causing some merchants to believe the standards are not being seriously enforced.
"If the credit card brands want this thing to move ahead," Bird said, "they are going to have to publicly levy some pretty hefty fines against major retailers" for non-compliance with PCI requirements.